Virus name (Chinese):
Virus alias:
Email-Worm.Win32.Semapi.a[AVP]
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
13312
Affected systems:
Win9x, WinNT
Virus behaviour:
This is a worm that spreads by e-mail. When run, it displays an error message, "Cannot locate semapi.dll; reinstalling will fix this problem", to mislead the user. In reality the virus copies itself into the system directory and into the root directories of the fixed, removable and remote shared drives A-Z, harvests e-mail addresses from files of certain types, and sends mail carrying the virus to those addresses from a forged sender, tricking the recipient into opening the attachment and thereby becoming infected.
1) Creates a mutex named "Dr.Doom" so that only one instance of the virus runs at a time.
2) Copies itself to:
%System%\AUTOEXE.exe
%System%\SKERNEL32.com
%SystemRoot%\Winbios.exe
%SystemRoot%\DRDOOM.EXE
3) Adds registry autostart entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AUTOEXE"="%System%\AUTOEXE.exe"
"KERNEL32"="%System%\SKERNEL32.com"
"Win32Bios"="%SystemRoot%\Winbios.exe"
4) While running, the virus displays the following message window:
5) Attempts to copy itself to the root directories of the fixed, removable and remote shared drives A-Z.
6) Adds the following to "win.ini" so that it starts automatically on Windows 95/98/Me:
[WINDOWS]
RUN=%SystemRoot%\DRDOOM.EXE
7) Harvests e-mail addresses from files of the following types:
.htm*
.asp
.msg
.oft
.shtm*
.dbx
.tbb
.adb
.doc
.wab
.rtf
.vb*
.pl*
.ph*
.tx*
.eml
.js*
.wsh
.xm*
.ttf
8) Sends infected mail to the harvested addresses. The forged sender address is built from one of the following names:
Ali
Allison
Allyson
Albert
Bob
Bobby
Catalin
Doug
Debby
Tom
Tommy
Michael
Larissa
Linsey
Lorena
George
Jim
Jimmy
James
Tim
Timmy
Seth
Veronica
Andre
Andrea
Allen
Amanda
Edward
Josh
Jay
Cari
Carly
Sonny
Andres
Trevor
Amy
Robert
Roberto
Rob
Jason
Anthony
Tony
Jeorge
Brittany
Britney
Melissa
Mel
Manual
Den
Denis
Shawn
Sean
Loren
Faviola
Devin
Devon
John
Jon
Jonny
Ron
Ronny
Rhonda
Sam
Samm
Sammantha
Mindy
Mike
Carlos
Juan
Mark
Hugo
Mat
followed by one of the following domains
@aol.com
@yahoo.com
@mail.com
@hotmail.com
@fbi.gov
@cia.gov
@usa.com
@comcast.net
@teacher.net
@doctor.com
@help.org
@teens.org
@asia.com
@europe.com
@philippines.ph
@japan.jp
@england.uk
@gmail.com
@school.edu
@unknown.org
to form the forged sender address.
Possible subjects:
Your data
Re: My docs
Re: My Letter
Re: ScreenSaver
Re: Test
Account Info
32bit Info
chkdizk32 preview
64bit color
gif fix
Re: Look...
Re: Im Sexxy :-p
Re: Whatever...
00000000000
.Bat update
Re: My File
.jpeg update
Re: My sexxy Pic..
Re: Sexxy
Im Sexxy..
DrWorm
test :-)
Possible message bodies:
Your data is attached.
My documents is in the attachments.
Plz read my letter in the attachments.
The screensaver you requested is attached.
ISP Test file "lsszr32.pif" is attached.
Your account info is attached.
More info attached.
Chkdizk32 trial (32 day).
64bit color update is attached.
.gif pictures attached.
Plz look at the file attached.
Told u im sexy... take a look at my pic in the attachments.
Whatever.... just look at the msg. attached.
260972396723672396340676067396727632907963
.bat update (MS-0010938)
Update included in the attachments.
My file that you wanted is attached.
.jpeg update attached.
My sexxy pic is attached... ;-) (call me)
Im sexxy... my phone # is attached. :-)
Look at my pic in the attachments.
Download Dr.Worm more info is attached. testing....
Possible attachment names:
dat.exe
mydoc.exe
myletter.exe
scrsaver.scr
lsszr32.pif
acount.exe
info32.exe
chkdizk32.exe
64bitcolr.pif
Lkigif32.bat
plzlook.exe
sxygurl.pif
whtev3k32.exe
00000.cmd
win32bat.exe
myfile.exe
jpeg64bit.pif
sxxypic.pif
looksxyy.exe
omgtehsexxy.exe
drworm.bat
drdsk2k.cmd
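An added detection helper (not part of the original advisory) that turns the indicators from sections 6 and 8 above into checks a mail gateway or host scan could apply: it matches the attachment names and forged-sender domains listed above, and looks for the RUN= line the worm adds to win.ini. The indicator values are copied from this page; the function names and thresholds are the example's own choices.

```python
import re
from typing import List

# Added detection helper for the Semapi.a ("Dr.Doom") worm described above; the
# indicator values come from the advisory, all inputs to the functions are constructed.
ATTACHMENTS = {
    "dat.exe", "mydoc.exe", "myletter.exe", "scrsaver.scr", "lsszr32.pif",
    "acount.exe", "info32.exe", "chkdizk32.exe", "64bitcolr.pif", "lkigif32.bat",
    "plzlook.exe", "sxygurl.pif", "whtev3k32.exe", "00000.cmd", "win32bat.exe",
    "myfile.exe", "jpeg64bit.pif", "sxxypic.pif", "looksxyy.exe", "omgtehsexxy.exe",
    "drworm.bat", "drdsk2k.cmd",
}
FORGED_DOMAINS = {
    "aol.com", "yahoo.com", "mail.com", "hotmail.com", "fbi.gov", "cia.gov",
    "usa.com", "comcast.net", "teacher.net", "doctor.com", "help.org", "teens.org",
    "asia.com", "europe.com", "philippines.ph", "japan.jp", "england.uk",
    "gmail.com", "school.edu", "unknown.org",
}
# Executable-type extensions the worm uses for its attachments (from the list above).
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd")


def classify(sender: str, attachment: str) -> List[str]:
    """Return the Semapi.a indicators a message matches (empty list = clean).
    A known attachment name is decisive on its own; a risky extension or a
    sender from the forged-domain pool only counts as supporting evidence."""
    hits: List[str] = []
    name = attachment.lower()
    if name in ATTACHMENTS:
        hits.append("known-attachment")
    elif name.endswith(RISKY_EXT):
        hits.append("risky-extension")
    domain = sender.rsplit("@", 1)[-1].lower()
    # Plain user accounts live on these domains too, so the domain alone is not a hit.
    if hits and domain in FORGED_DOMAINS:
        hits.append("forged-sender-domain")
    return hits


def win_ini_autostart(text: str) -> bool:
    """True if win.ini carries the [WINDOWS] RUN= entry the worm adds on Win9x/Me."""
    in_windows = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_windows = line.upper() == "[WINDOWS]"
        elif in_windows and re.match(r"(?i)run\s*=.*\\drdoom\.exe\s*$", line):
            return True
    return False
```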